The past several weeks have been exciting ones for the industrial cybersecurity community, even if the general reaction was hardly one of surprise.
Ransomware finally struck U.S. critical infrastructure in a very public way—first shutting down Colonial Pipeline operations and bringing long lines to East Coast filling stations, the likes of which we've not seen since the 1973 OPEC oil embargo. Close on the heels of the Colonial attack, another on JBS Foods, the world's largest meat processor, disrupted operations at the company's U.S., Canadian and Australian facilities.
Oil and food supplies of course qualify as critical infrastructure—especially in America, where folks are unlikely to suffer fools lightly who mess with their red meat and pickup trucks. All kidding aside, the highly publicized attacks, credited to criminal agents "most likely in Russia," ignited a cybersecurity uproar that quickly reached all the way to the White House and, as of presstime, continues to escalate.
The May 6 Colonial Pipeline hack was quickly followed by an Executive Order issued by President Biden on May 12. The order on "Improving the Nation's Cybersecurity" focused primarily on critical infrastructure providers' IT systems, although the need to also protect "operational technology (OT)" was mentioned a handful of times.
Joe Weiss, author of the Unfettered cybersecurity blog on our ControlGlobal.com website, said he was "pleased to see cybersecurity receiving attention at the presidential level, but was disappointed the Executive Order didn't address the unique issues associated with control systems."
But the specific needs of control systems may well be swept along with rapidly evolving events, such as the June 2 open letter from the White House that urged private companies to take "immediate steps” to better protect themselves against ransomware attacks.
The open letter to corporate executives and business leaders from the National Security Council’s top cyber official stated that strengthening the nation’s resistance to cyberattacks is a top priority for the Biden administration. Anne Neuberger, deputy national security adviser for cyber and emerging technology, also stressed that the private sector has a distinct and key responsibility as "hackers shift their attention from stealing data to disrupting operations."
“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” said Neuberger. “But there are immediate steps you can take to protect yourself, as well as your customers and the broader economy.”
Outlined in a White House memo, these relatively basic yet essential measures include:
- Multifactor authentication,
- Regular data back-ups,
- Segregation of backup systems from primary networks, and
- Penetration testing to detect and correct vulnerabilities.
Neuberger also urged organizations to think ahead about how they would react should their networks be taken hostage with ransomware.
“The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world," Neuberger wrote in the letter, "is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively."
President Biden is expected to discuss Russia's apparent tolerance of the ransomware attackers when he meets later this month with President Putin. He has also indicated that he'll consider other measures such as making formerly voluntary cybersecurity measures a legal requirement. Who knows? Perhaps in the end the process industries will benefit from some of those infrastructure dollars being haggled over in Congress.